Citizen Lab found that the Korean Kakao Talk application for Android was altered to spy on Tibetan activists.

In the last months, new research has made it clearer than ever that every computer in the world is a potential target for Chinese government hackers. So perhaps it's no surprise that smartphones appear to be among those state-sponsored hackers' targets, too.

A report released Monday by the Citizen Lab, a group of information security researchers at the Munk School of Global Affairs at the University of Toronto, shows that Tibetan activists are being targeted with sophisticated malware designed to infect Android phones, allowing the malware's operator to steal the user's contacts and messages, and track his or her location.

Highly-targeted malware for Android phones isn't entirely new: antivirus firm Kaspersky turned up another example a week earlier. But this time, researchers found a new wrinkle: To pinpoint a target's location, data retrieved by the malware is designed to be combined with cell tower data from a telecommunications company. That's a strong hint, says Citizen Lab director Ron Deibert, that the malware was written not by unaffiliated hackers, but by the Chinese government, which has close ties to the country's phone carriers and could cross-reference the companies' data with its own.

"We don’t have a smoking gun that this is the Chinese government. But let’s face it," says Deibert. "When you add it all up, there’s really only one kind of organization for whom this information is useful. And we know that the Chinese have a very strong interest in tracking Tibetans, so it’s a strong set of circumstantial evidence."

Citizen Lab found that one of its contacts, a Tibetan activist, was sent an altered version of Kakao Talk, a mobile messaging app for Android, in an email that spoofed a message from a trusted contact. The malicious app was designed to periodically bundle the user's contacts and text message history in a file called "info.txt" that was sent to a remote server masquerading as Baidu, the most popular Chinese search engine. And when the malware's operator sent a certain code to the infected phone via text message, it was designed to hide that message and invisibly respond with information related to the mobile network and cell tower to which the user was connecting, data that could be combined with a database of cell tower locations maintained by a cellular carrier to pinpoint a phone's location.

Other signs further tie the malware to snoops who closely monitor activist communities in China. The masked server controlling the malware was called "android.uyghur.dnsd.me," a reference to Uyghur Muslim communities in Northwest China, many of whom have pushed for independence. And Kakao, the South Korean app redesigned to harbor the malware, had recently been recommended by a prominent Tibetan activist after security concerns were raised about Wechat, an alternative application offered by the Chinese firm Tencent. The message carrying the rigged app analyzed by Citizen Lab was in fact an exact copy of a real message from the Tibetan activist recommending Kakao.

"From a Tibetan point of view, we assume these attacks are coming either directly or indirectly from the Chinese government," says Lhadon Tethong, director of the Tibet Action Institute, which trains activists in computer security, pointing to the Uyghur reference as further evidence. "This is a problem we’ve faced for a long time [with PCs], but with the use of smart phones everyone is carrying a computer in their pocket. For the Chinese government, it’s the easiest way to do all of their surveillance."

Citizen Lab found that the rigged version of Kakao used an illegitimate certificate that would have prevented it from getting into the Google Play market for Android apps, and required the user to agree a longer list of permissions than the real Kakao. But Chinese users, who often install apps from other sources than the Play market, wouldn't necessarily spot those giveaways.

Citizen Lab also tested the Kakao malware against three major antivirus products for Android phones: Avast, Lookout, and Kaspersky's mobile product. None of the three detected the software as dangerous.

But the fact that the fake Kakao app's location tracking would only be useful in combination with telecom data is a telling sign of state-sponsored or military hackers, says Citizen Lab research Byron Sonne. "The chances of getting that [cell-tower data] without being a member of the actual company or not having access to their internal databases would minimal for a civilian," he says. "It's hard to come to any other conclusion."

"It’s clear that Chinese authorities want to disrupt our work and make us spend time on this kind of thing rather than the work of advocacy or organizing," says the Tibet Action Institute's Tethong, citing computer spyware attacks that have been against her fellow activists for nearly a decade. "These mobile attacks are newer. And they're very alarming."